Privileges define what users can do, such as arming zones, blocking cameras, and unlocking doors, over the part of the system they have access rights to.
- Application privileges
- Grant access to the Security Center applications.
- General privileges
- Grant access to the generic Security Center features.
- Administrative privileges
- Grant access to entity configuration in Config Tool.
- Task privileges
- Control accessibility to the various Security Center tasks.
- Action privileges
- Control the actions that can be performed on the system entities.
For a list of available privileges, see the Security Center 5.12 Privileges.
You can also refer to the Privileges page of a user or user group in the Config Tool User management task.
Privilege hierarchy
- For a child privilege to be allowed, the parent privilege must be allowed.
- If a parent privilege is denied, all child privileges are denied.
- A child privilege can be denied when the parent privilege is allowed.
Privilege inheritance
- A privilege that is undefined at the group level can be allowed or denied at the member level.
- A privilege that is allowed at the group level can be denied at the member level.
- A privilege that is denied at the group level is automatically denied at the member level.
- When a user is a member of multiple user groups, the user inherits the most restrictive privilege settings from its parents. This means that Deny overrules Allow, and Allow overrules Undefined.
Exceptions to privilege rules
- Administrative users
- Members of the Administrators user group (which include the Admin user) have full administrative rights over the system. They can configure Security Center as they see fit. The Admin user and the Administrators user group are created at system installation. They have all the privileges and cannot be modified nor deleted.
- Actions reserved for administrative users
- There are actions that only administrative users can perform because they can
potentially affect the entire system. These actions are not associated to any
privilege.
- Adding, modifying, and deleting macros.
- Creating generic event-to-actions (without a specific source entity).
- Running the Diagnostic data collector.
Privilege exceptions for partitions
A user (or user group) has a set of basic privileges that is the result of the privileges inherited from their parent user groups, plus the ones explicitly allowed or denied to the user.
When a user is given access to a partition, their basic privileges are applied by default to the partition. As a system administrator, you can overwrite the privileges a user has over a specific partition. For example, a user can be allowed to configure alarms in partition A, but not in partition B. This means that a user can have a different set of privileges for each partition they have access to. Only Administrative and Action privileges, plus the privileges over public tasks, can be overwritten at the partition level.
The Manage partition memberships option
SdkPrivilege.ManagePartitionMemberships
privilege using the
SetPrivilegeState()
method.